Failures of Information Security: Observing the World and Asking Why

By Adam Shostack and Andrew Stewart, Addison-Wesley Professional

Another attack that uses email is phishing. Phishing is the art of sending fraudulent emails designed to look like they are from a company such as a bank. The phisher’s goal is to lure people into visiting a web site that looks like their bank’s real web site. The phisher (or an associate) then uses the fake but authentic-looking web site to convince people to provide personal information such as usernames, passwords, or mother’s maiden name. The attacker then takes that information and uses it to access the victim’s real bank account. Unpleasantness ensues.

At its root, phishing is a fraud that exists because of the difficulty of authentication—verifying that an entity is who it claims to be. It can be hard to identify the real sender of an email. It can be hard to tell whether a web site really belongs to a given bank. Banks and other institutions that conduct business online have the same problem in reverse. They can find it difficult to identify their customers when someone shows up at their web site to log in. As with spam, the ability to perform phishing attacks is facilitated by the global, largely anonymous nature of the internet. In January 2006, more than six billion emails were recorded as part of 15,000 different phishing scams.

Criminals use phishing attacks because they work. In a test of people’s ability to distinguish real email from fake, only 6% got all the answers right, and only half of the real emails were recognized as real. Even so, many companies that do business online have not yet adopted some simple measures that would help protect their customers. Because a phishing attack depends on luring the victim to a fake web site, companies that do business online should advise their customers never to click a hyperlink in an email, and should themselves never send their customers links in an email; once a company never sends links, any emailed link that claims to come from it can be treated as fraudulent. Customers should be told that whenever they want to visit the company online, they should use a bookmarked web address, and that address should ideally be delivered by traditional postal mail, a channel the phisher does not control. (This advice is intended for companies that have ongoing relationships with their customers and send them occasional alerts.) Rather than taking these measures, many companies have instead made things harder for their customers by registering new web addresses, using confusing web addresses, and using technologies in their web pages that make it easier for fraudsters to camouflage their actions.
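The link tricks the two preceding paragraphs describe, a host that merely resembles the bank’s domain, visible text that names one site while the href targets another, and a non-web scheme, can be checked mechanically on the receiving side. The following is an added example and not code from the book: it parses the anchors out of an HTML message and reports why each link looks suspect. TRUSTED_DOMAINS, the hypothetical bank examplebank.com, and the sample message are assumptions constructed for the example.

```python
# Added example, not from the book: flag the link tricks the text describes
# in an HTML email body.  TRUSTED_DOMAINS and the sample message are
# constructed for illustration; "examplebank.com" is a hypothetical bank.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the institution actually owns (hypothetical).
TRUSTED_DOMAINS = {"examplebank.com"}


def registrable_domain(host):
    """Last two labels of a host name ("examplebank.com.evil.net" -> "evil.net").

    Simplification: a production check consults the Public Suffix List so that
    hosts under "co.uk" and similar suffixes are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by anchor text that is a URL or bare host, else None."""
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "//" + text
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    return host if host and "." in host else None


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    reasons = []
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return ["unparseable href"]
    if parts.scheme.lower() not in ("http", "https"):
        return ["non-http scheme %r" % parts.scheme]
    host = parts.hostname or ""
    # A lookalike such as examplebank.com.evil.net, or a bare IP, fails here.
    if registrable_domain(host) not in trusted:
        reasons.append("host %s is not a trusted domain" % host)
    # In "https://examplebank.com@evil.net/" the part before @ is userinfo, not the host.
    if parts.username is not None:
        reasons.append("userinfo before @ disguises the real host %s" % host)
    # Visible text that names a different site than the href actually targets.
    shown = host_of(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append("visible text %s does not match href host %s" % (shown, host))
    return reasons


def scan_email(html):
    """Return [(href, reasons)] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, check_link(href, text)) for href, text in collector.links]


# Constructed sample message: one legitimate link and two phishing-style links.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please <a href="https://www.examplebank.com/alerts">review your alerts</a>.</p>
<p>Or verify here: <a href="https://examplebank.com.account-verify.net/login">https://www.examplebank.com/login</a></p>
<p><a href="https://examplebank.com@198.51.100.7/">Secure login</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", reasons or "ok")
```

The check is deliberately conservative in one direction: a link on a domain the institution does not own is reported even when nothing else is wrong with it, which is exactly the situation a customer following the "never click a link in an email" advice is being protected from. The registrable-domain split is a two-label approximation; a real deployment swaps in the Public Suffix List.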

To be fair, some companies have sought to address phishing by deploying a new breed of authentication technologies. In theory, these products help customers recognize when they are at the real web site rather than a fake one. In practice, they don’t seem to work: in a 2007 study, one of the market-leading products in this space was shown to be ineffective 92% of the time.
